On January 25, 2013, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published the long-awaited HIPAA Omnibus Final Rule (Final Rule), which includes the most sweeping changes to HIPAA since the Privacy and Security Rules were released. Under the Final Rule, business associates and subcontractors are directly liable to OCR for compliance with the Privacy and Security Rules and may be assessed civil monetary penalties for violations. The Final Rule also expands the definition of the term business associate and requires business associates to execute sub-business associate agreements with subcontractors. The Final Rule also includes important changes to the standard for determining whether a breach of protected health information (PHI) has occurred such that affected individuals must be notified. Specifically, the Final Rule has replaced the previous standard, which required a subjective analysis of whether a breach posed a significant risk of financial, reputation, or other harm to affected individuals, with what OCR calls a more objective standard that presumes a breach has occurred unless the covered entity can demonstrate a low probability that PHI has been compromised based on an analysis of the following four factors: (1) the nature and extent of the PHI; (2) the unauthorized person involved; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the harm has been mitigated. In addition, the Final Rule alters HIPAA’s marketing and fundraising provisions, requiring valid authorization for marketing communications made in exchange for financial remuneration and a clear and conspicuous opportunity for individuals to opt out of receiving fundraising communications. The Final Rule also prohibits the use of genetic information by health plans for underwriting purposes, limits disclosures to health plans where a patient has paid for services out-of-pocket, and requires a covered entity to provide requested records in electronic form where possible.
OCR issued a total of six resolution agreements in 2013, with settlement terms ranging from $50,000 to $1.7M in civil monetary penalties (CMPs), and corrective action plans ranging from 60 days to two years. The 2013 resolution agreements are representative of OCR’s focus on two primary types of action/inaction: (1) ongoing failure to comply with the HIPAA Privacy and Security Rules, and (2) unforgivable disclosures. In January 2013, OCR announced its first settlement agreement stemming from a breach involving less than 500 patients reported by Hospice of North Idaho in its annual report to OCR regarding a June 2013 theft of an unencrypted laptop. OCR found failures to conduct a risk analysis regarding PHI on portable electronic devices, to implement appropriate security measures to address potential risks, and to document rationale for decisions as required by the Security Rule. In May 2013, OCR continued its focus on identifying and mitigating security risks by announcing its settlement agreement with Idaho State University regarding an August 2011 incident where PHI was left unsecured for at least 10-months due to the disabling of firewall protections on servers. In June 2013, OCR announced a settlement agreement with Shasta Regional Medical Center stemming from January 2012 improper disclosures of patient information by SRMC leaders to various media outlets. Soon thereafter, in July 2013, OCR announced its resolution agreement, and largest CMP of the year—$1.7M with WellPoint, Inc. regarding security weaknesses in WellPoint’s online application database over 5 months during 2009-2010 which left ePHI accessible to unauthorized individuals over the Internet. OCR focused on WellPoint’s failure to assess security risks, including during a software upgrade which would affect the security of ePHI maintained in its web-based application database. OCR’s fifth resolution agreement of the year, announced in August 2013, again focused on the failure of an organization, Affinity Health Plan, Inc. (Affinity), to assess and identify the security risks and vulnerabilities associated with ePHI. OCR’s investigation focused on Affinity’s impermissible disclosure of ePHI when it failed to properly erase photocopier hard drives prior to sending the photocopiers to a leasing company. To end 2013, HHS OCR issued its sixth resolution agreement with Adult & Pediatric Dermatology, P.C. (APDerm), a private practice delivering dermatology services in Massachusetts and New Hampshire. OCR focused on APDerm’s lack of policies and procedures addressing the breach notification provisions of the HITECH Act. As the 2013 OCR resolution agreements demonstrate, organizations of all sizes and types must continue to determine how to best ensure patient access to PHI while also adequately safeguarding PHI into 2014. Enforcement activity is likely to increase in 2014 given OIG’s November 2013 report regarding OCR oversight and enforcement of the HIPAA Security Rule. Based on the 2013 resolution agreements, covered entities and their business associates must continue to analyze risk, conduct ongoing risk management, and review routine information system as part of an effective HIPAA security compliance program.
In addition to the resolution agreements discussed above, we continued to see healthcare entities respond to data breach incidents throughout 2013. Covered entities reported close to 145 incidents affecting 500 or more individuals, with a large portion of these incidents attributable to lost or stolen unencrypted electronic devices and a number of incidents still arising from paper records. From the 2013 incidents, covered entities continued to learn that breach response does not stop at notification. Plaintiffs in class action litigation continue to assert various causes of action, including under state and federal laws, in an attempt to recover damages due to the alleged failure of a covered entity to protected patient information. In addition to class action litigation, we continue to see OCR and state attorneys general involved in data breach response and investigation. These regulators have not limited their work to covered entities, but have also pursued action against the business associates of such entities. Thus, in the coming year, we anticipate many covered entities and business associates revisiting their business associate agreements, analyzing and allocating risk, and implementing new privacy and security measures to better comply with applicable law.